PatchWiz Kaboom!

Recently I was reading a thread in microsoft.public.platformsdk.msi where Jim Keir stumbled into a whopper of an MSI bug:

I’ve found a huge, steaming bug in PatchWiz 4.0.6000 . Under some circumstances, sadly those described in the SDK patching example, it can erase all writeable files on your drive.

To reproduce (carefully): – Provide suitable PCP and source/target folders – Call UiCreatePatchPackage with the optional hWnd parameter set to NULL and RemoveTempFolderIfPresent set to FALSE. Harmless, right?

Internally (I’ve debugged this) the ascii version convert the strings to wide-char and then pass them to UiCreatePatchPackageW . This unconditionally sets 0x8000 in the flags field, then it passes it all to UiCreatePatchPackageExW . That bombs because the UIALL flag (0x8000) is set and the window parameter is null. The error-handling then kicks in but it appears that some internal defaults haven’t yet been overwritten. It tries to delete the temp folder despite being told not to both in the function call *and* the PCP, and also hasn’t yet set the temp folder location. It seems that another internal call fails (code 87) with the result that it deletes every writable file on the drive.

The corresponding logfile line is: ERROR: During cleanup, could not delete the temporary folder: .

Rather annoyed. As you might imagine. Don’t believe me? Go ahead and try it 😉

Furthor posts seem to confirm that this bug is real. Fortunatly I still develop on Windows XP with InstallShield 2008 so fortunatly I’m still on PatchWiz.dll3.1.4000.2049.

Still, something to watch out for, especially if you are tools developer or roll you own kind of guy.